Closed forderud closed 1 year ago
Registry folder with WMI class security:

```
HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security
```

WMI classes with default security don't seem to be listed.
Feedback Hub report on leaking security descriptors after driver uninstall: https://aka.ms/AAmidja
Registry dump:

```
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security
Class Name:        <NO CLASS>
Last Write Time:   9/2/2023 - 5:38 AM
...
Value 520
  Name:            07982702-2086-4b83-9444-34989bb10554
  Type:            REG_BINARY
  Data:
00000000   01 00 04 80 5c 00 00 00 - 6c 00 00 00 00 00 00 00  ....\...l.......
00000010   14 00 00 00 02 00 48 00 - 03 00 00 00 00 00 18 00  ......H.........
00000020   ff 0f 12 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
00000030   20 02 00 00 00 00 14 00 - 01 00 00 00 01 01 00 00   ...............
00000040   00 00 00 01 00 00 00 00 - 00 00 14 00 ff 0f 12 00  ............ÿ...
00000050   01 01 00 00 00 00 00 05 - 12 00 00 00 01 02 00 00  ................
00000060   00 00 00 05 20 00 00 00 - 20 02 00 00 01 02 00 00  .... ... .......
00000070   00 00 00 05 20 00 00 00 - 20 02 00 00              .... ... ...
```
This perfectly matches the security descriptor specified in the INF/INX file. Proof:
```cpp
#include <windows.h>
#include <sddl.h>
#include <vector>
#include <cstring>

// Convert the SDDL string from the INF/INX file into a self-relative security descriptor.
PSECURITY_DESCRIPTOR sd = nullptr;
ULONG sd_size = 0;
ConvertStringSecurityDescriptorToSecurityDescriptorA(
    "O:BAG:BAD:(A;;0x120fff;;;BA)(A;;CC;;;WD)(A;;0x120fff;;;SY)",
    SDDL_REVISION_1, &sd, &sd_size);
// Copy the binary blob out so it can be compared byte-for-byte with the REG_BINARY value.
std::vector<BYTE> sd_vec(sd_size, 0);
memcpy(sd_vec.data(), sd, sd_size);
LocalFree(sd); // the descriptor buffer is allocated with LocalAlloc
```
sd_vec content:

```
01 00 04 80 5c 00 00 00 - 6c 00 00 00 00 00 00 00
14 00 00 00 02 00 48 00 - 03 00 00 00 00 00 18 00
ff 0f 12 00 01 02 00 00 - 00 00 00 05 20 00 00 00
20 02 00 00 00 00 14 00 - 01 00 00 00 01 01 00 00
00 00 00 01 00 00 00 00 - 00 00 14 00 ff 0f 12 00
01 01 00 00 00 00 00 05 - 12 00 00 00 01 02 00 00
00 00 00 05 20 00 00 00 - 20 02 00 00 01 02 00 00
00 00 00 05 20 00 00 00 - 20 02 00 00
```
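The same comparison can be done offline, without the Win32 API, by decoding the registry blob back to SDDL. The parser below is an added example, not code from this issue or the project; it walks the self-relative SECURITY_DESCRIPTOR (header, ACL, ACEs, SIDs) and assumes only the SID and rights aliases that occur in this descriptor (BA, WD, SY, CC), printing anything else in long form.

```python
import struct

# Self-relative SECURITY_DESCRIPTOR from the registry dump above (124 bytes, grouped by field).
SD_BLOB = bytes.fromhex(
    "01000480 5c000000 6c000000 00000000 14000000"          # revision, control, offsets
    "02004800 03000000"                                      # ACL header: 72 bytes, 3 ACEs
    "00001800 ff0f1200 01020000 00000005 20000000 20020000"  # ACE: 0x120fff for S-1-5-32-544
    "00001400 01000000 01010000 00000001 00000000"           # ACE: CC for S-1-1-0
    "00001400 ff0f1200 01010000 00000005 12000000"           # ACE: 0x120fff for S-1-5-18
    "01020000 00000005 20000000 20020000"                    # owner SID
    "01020000 00000005 20000000 20020000"                    # group SID
)
# Assumption: only the SDDL aliases this descriptor uses are known; others print in long form.
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BA", "S-1-1-0": "WD", "S-1-5-18": "SY"}
ACE_TYPES, RIGHTS = {0: "A", 1: "D"}, {0x1: "CC"}  # ACE type letters, access-right aliases

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (SID string, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def parse_sd(blob):
    """Decode a self-relative SECURITY_DESCRIPTOR into owner, group and DACL ACEs."""
    rev, _, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE must be set
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"owner": parse_sid(blob, o_owner)[0] if o_owner else None,
          "group": parse_sid(blob, o_group)[0] if o_group else None, "dacl": None}
    if control & 0x0004 and o_dacl:  # SE_DACL_PRESENT
        _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", blob, o_dacl)
        pos, end, sd["dacl"] = o_dacl + 8, o_dacl + acl_size, []
        for _ in range(ace_count):
            ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
            sd["dacl"].append((ace_type, mask, parse_sid(blob, pos + 8)[0]))
            pos += ace_size
        if pos != end:  # truncated or oversized ACEs would otherwise misparse silently
            raise ValueError("ACE sizes do not add up to AclSize")
    return sd

def to_sddl(sd):
    """Render the parsed descriptor as SDDL so it can be diffed against the INF string."""
    alias = lambda s: WELL_KNOWN_SIDS.get(s, s)
    rights = lambda m: RIGHTS.get(m, "0x%x" % m)
    out = "".join(p + alias(sd[k]) for p, k in (("O:", "owner"), ("G:", "group")) if sd[k])
    if sd["dacl"] is not None:  # ACE flags are not rendered; none are set in this dump
        out += "D:" + "".join("(%s;;%s;;;%s)" % (ACE_TYPES.get(t, str(t)), rights(m), alias(s))
                              for t, m, s in sd["dacl"])
    return out
```

Running `to_sddl(parse_sd(SD_BLOB))` on the dump yields the INF string `O:BAG:BAD:(A;;0x120fff;;;BA)(A;;CC;;;WD)(A;;0x120fff;;;SY)`, and the same routine can be pointed at any value left under the `WMI\Security` key to see which trustees a leaked descriptor still grants.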
wmi_security.reg.txt
Completed in 4d6c04553648e11ed11b8553858a004713a16af0